National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-8890

Fri, 10/12/2018 - 09:29
An information disclosure vulnerability in the Management Console of BlackBerry UEM 12.8.0 and 12.8.1 could allow an attacker to take over a UEM user's session and perform administrative actions in the context of the user.
Categories: Security News

CVE-2018-1533

Fri, 10/12/2018 - 07:29
IBM Rational Publishing Engine 6.0.5 and 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 142431.

CVE-2018-1534

Fri, 10/12/2018 - 07:29
IBM Rational Publishing Engine 6.0.5 and 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 142432.

CVE-2018-1770

Fri, 10/12/2018 - 07:29
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148686.

CVE-2018-1844

Fri, 10/12/2018 - 07:29
IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904.

CVE-2018-18226

Fri, 10/12/2018 - 02:29
In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector could consume system memory. This was addressed in epan/dissectors/packet-steam-ihs-discovery.c by changing the memory-management approach.

CVE-2018-18227

Fri, 10/12/2018 - 02:29
In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP protocol dissector could crash. This was addressed in epan/dissectors/packet-mswsp.c by properly handling NULL return values.

CVE-2018-18225

Fri, 10/12/2018 - 02:29
In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. This was addressed in epan/dissectors/packet-coap.c by ensuring that the piv length is correctly computed.

CVE-2018-1838

Fri, 10/12/2018 - 01:29
IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could allow a remote attacker to obtain sensitive information caused by improper handling of passwords. IBM X-Force ID: 150811.

CVE-2017-1231

Fri, 10/12/2018 - 01:29
IBM BigFix Platform 9.5 - 9.5.9 stores user credentials in clear text, which can be read by a local user. IBM X-Force ID: 123910.

CVE-2018-1673

Fri, 10/12/2018 - 01:29
IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 145108.

CVE-2018-17927

Thu, 10/11/2018 - 18:29
In Delta Industrial Automation TPEditor, TPEditor Versions 1.90 and prior, multiple out-of-bounds write vulnerabilities may be exploited by processing specially crafted project files lacking user input validation, which may cause the system to write outside the intended buffer area and may allow remote code execution.

CVE-2018-17929

Thu, 10/11/2018 - 18:29
In Delta Industrial Automation TPEditor, TPEditor Versions 1.90 and prior, multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files lacking user input validation before copying data from project files onto the stack and may allow an attacker to remotely execute arbitrary code.

CVE-2018-12441

Thu, 10/11/2018 - 17:29
The CorsairService Service in Corsair Utility Engine is installed with insecure default permissions, which allows unprivileged local users to execute arbitrary commands via modification of the CorsairService BINARY_PATH_NAME, leading to complete control of the affected system. The issue exists due to the Windows "Everyone" group being granted SERVICE_ALL_ACCESS permissions to the CorsairService Service.

CVE-2018-18257

Thu, 10/11/2018 - 17:01
An issue was discovered in BageCMS 3.1.3. An attacker can delete any files and folders on the web server via an index.php?r=admini/template/batch&command=deleteFile&fileName= or index.php?r=admini/template/batch&command=deleteFolder&folderName=../ directory traversal URI.

CVE-2018-18258

Thu, 10/11/2018 - 17:01
An issue was discovered in BageCMS 3.1.3. The attacker can execute arbitrary PHP code on the web server and can read any file on the web server via an index.php?r=admini/template/updateTpl&filename= URI.

CVE-2018-15766

Thu, 10/11/2018 - 15:29
On install, Dell Encryption versions prior to 10.0.1 and Dell Endpoint Security Suite Enterprise versions prior to 2.0.1 will overwrite and manually set the "Minimum Password Length" group policy object to a value of 1 on that device. This allows users to bypass any existing policy for password length and potentially create insecure passwords on their device. This value is defined during the installation of the "Encryption Management Agent" or "EMAgent" application. There are no other known values modified.

CVE-2018-18215

Thu, 10/11/2018 - 11:29
In youke365 v1.1.5, admin/user.html has a CSRF vulnerability that can add a user account.

CVE-2018-9206

Thu, 10/11/2018 - 11:29
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0.

CVE-2018-18242

Thu, 10/11/2018 - 10:29
youke365 v1.1.5 has SQL injection via admin/login.html, as demonstrated by username=admin&pass=123456&code=9823&act=login&submit=%E7%99%BB+%E9%99%86.
